1
Q
Which of the following should be the FIRST step in developing an information security plan?
A
Analyze the current business strategy
2
Q
Senior management commitment and support for information security can BEST be obtained through presentations that:
A
tie security risks to key business objectives.
3
Q
The MOST appropriate role for senior management in supporting information security is the:
A
approval of policy statements and funding.
4
Q
Which of the following would BEST ensure the success of information security governance within an organization?
A
Steering committees approve security projects
5
Q
Information security governance is PRIMARILY driven by:
A
business strategy.
6
Q
Which of the following represents the MAJOR focus of privacy regulations?
A
Identifiable personal data
7
Q
Investments in information security technologies should be based on:
A
value analysis.
8
Q
Retention of business records should PRIMARILY be based on:
A
regulatory and legal requirements.
9
Q
Which of the following is characteristic of centralized information security management?
A
Better adherence to policies
10
Q
Successful implementation of information security governance will FIRST require:
A
updated security policies.
11
Q
Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
A
Chief operating officer (COO)
12
Q
The MOST important component of a privacy policy is:
A
notifications.
13
Q
The cost of implementing a security control should not exceed the:
A
asset value.
14
Q
When a security standard conflicts with a business objective, the situation should be resolved by:
A
performing a risk analysis.
15
Q
Minimum standards for securing the technical infrastructure should be defined in a security:
A
architecture.
16
Q
Which of the following is MOST appropriate for inclusion in an information security strategy?
A
Security processes, methods, tools and techniques
17
Q
Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:
A
organizational risk.
18
Q
Which of the following roles would represent a conflict of interest for an information security manager?
A
Final approval of information security policies
19
Q
Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?T
A
The data center manager has final signoff on all security projects.
20
Q
Which of the following requirements would have the lowest level of priority in information security?
A
Technical
21
Q
When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?
A
Establish good communication with steering committee members
22
Q
It is MOST important that information security architecture be aligned with which of the following?
A
Business objectives and goals
23
Q
Which of the following is MOST likely to be discretionary?
A
Guidelines
24
Q
Security technologies should be selected PRIMARILY on the basis of their:
A
ability to mitigate business risks.
25
Which of the following are seldom changed in response to technological changes?
Policies
26
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
application systems and media.
27
Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
Better alignment to business unit needs
28
Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
Chief operating officer (COO)
29
Which of the following would be the MOST important goal of an information security governance program?
Ensuring trust in data
30
Relationships among security technologies are BEST defined through which of the following?
Security architecture
31
A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?
Perform a risk analysis to quantify the risk
32
Acceptable levels of information security risk should be determined by:
the steering committee.
33
The PRIMARY goal in developing an information security strategy is to:
support the business objectives of the organization.
34
Senior management commitment and support for information security can BEST be enhanced through:
periodic review of alignment with business management goals.
35
When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?
Develop policies that meet all mandated requirements
36
Which of the following MOST commonly falls within the scope of an information security governance steering committee?
Prioritizing information security initiatives
37
Which of the following is the MOST important factor when designing information security architecture?
Stakeholder requirements
38
Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?
Ability to understand and map organizational needs to security technologies
39
Which of the following are likely to be updated MOST frequently?
Procedures for hardening database servers
40
Who should be responsible for enforcing access rights to application data?
Security administrators
41
The chief information security officer (CISO) should ideally have a direct reporting relationship to the:
chief operations officer (COO).
42
Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?
Develop an information security strategy paper
43
Developing a successful business case for the acquisition of information security software products can BEST be assisted by:
calculating return on investment (ROI) projections.
44
When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
aligned with the business strategy.
45
Which of the following is the MOST important information to include in a strategic plan for information security?
Current state and desired future state
46
Information security projects should be prioritized on the basis of:
impact on the organization.
47
Which of the following is the MOST important information to include in an information security standard?
Last review date
48
Which of the following would BEST prepare an information security manager for regulatory reviews? department
Perform self-assessments using regulatory guidelines and reports
49
An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:
establish baseline standards for all locations and add supplemental standards as required.
50
Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?
Evaluate the impact of information security risks
51
From an information security manager perspective, what is the immediate benefit of clearly defined roles and responsibilities?
Better accountability
52
An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?
Risk assessment reports
53
Reviewing which of the following would BEST ensure that security controls are effective?
Security metrics
54
Which of the following is responsible for legal and regulatory liability?
Board and senior management
55
While implementing information security governance an organization should FIRST:
define the security strategy.
56
Information security policy enforcement is the responsibility of the:
chief information security officer (CISO).
57
A good privacy statement should include:
what the company will do with information it collects.
58
Which of the following would be MOST effective in successfully implementing restrictive password policies?
Security awareness program
59
When designing an information security quarterly report to management, the MOST important element to be considered should be the:
linkage to business area objectives.
60
An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
data privacy policy where data are collected.
61
A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
assess whether existing controls meet the regulation.
62
The PRIMARY objective of a security steering group is to:
ensure information security aligns with business goals.
63
Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:
policy.
64
At what stage of the applications development process should the security department initially become involved?
At detail requirements
65
A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?
Associating realistic threats to corporate objectives
66
The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
business requirements.
67
When personal information is transmitted across networks, there MUST be adequate controls over:
privacy protection.
68
An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:
ensure that security processes are consistent across the organization.
69
Who in an organization has the responsibility for classifying information?
Data owner
70
What is the PRIMARY role of the information security manager in the process of information classification within an organization?
Defining and ratifying the classification structure of information assets
71
Logging is an example of which type of defense against systems compromise?
Detection
72
Which of the following is MOST important in developing a security strategy?
Understanding key business objectives
73
Who is ultimately responsible for the organization's information?
Board of directors
74
Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?
Regulatory compliance
75
A security manager meeting the requirements for the international flow of personal data will need to ensure:
the agreement of the data subjects.
76
An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?
Proportionality
77
Which of the following is the MOST important prerequisite for establishing information securitymanagement within an organization?
Senior management commitment
78
What will have the HIGHEST impact on standard information security governance models?
Complexity of organizational structure
79
In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
conduct a risk assessment.
80
Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:
it implies compliance risks.
81
An outcome of effective security governance is:
strategic alignment.
82
How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?
Negotiate a local version of the organization standards
83
Who should drive the risk analysis for an organization?
Security manager
84
The FIRST step in developing an information security management program is to:
clarify organizational purpose for creating the program.
85
Which of the following is the MOST important to keep in mind when assessing the value of information?
The potential financial loss
86
What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?
Business case
87
To justify its ongoing security budget, which of the following would be of MOST use to the information security department?
Cost-benefit analysis
88
Which of the following situations would MOST inhibit the effective implementation of security governance:
High-level sponsorship
89
To achieve effective strategic alignment of security initiatives, it is important that:
Inputs be obtained and consensus achieved between the major organizational units.
90
What would be the MOST significant security risks when using wireless local area network (LAN) technology?
Rogue access point
91
When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?
Information security manager
92
In implementing information security governance, the information security manager is PRIMARILY responsible for:
developing the security strategy.
93
An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of:
alignment.
94
When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?
Compliance with the organization's information security requirements
95
To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:
substantiate the investment in meeting organizational needs.
96
The MOST useful way to describe the objectives in the information security strategy is through:
attributes and characteristics of the "desired state."
97
In order to highlight to management the importance of network security, the security manager should FIRST:
conduct a risk assessment.
98
When developing an information security program, what is the MOST useful source of information for determining available resources?
Skills inventory
99
The MOST important characteristic of good security policies is that they:
are aligned with organizational goals.
100
An information security manager must understand the relationship between information security and business operations in order to:
support organizational objectives.
101
The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:
refer the issues to senior management along with any security recommendations.
102
Obtaining senior management support for establishing a warm site can BEST be accomplished by:
developing a business case.
103
Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?
Include security responsibilities in the job description
104
Which of the following is the MOST important element of an information security strategy?
Defined objectives
105
A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the Information security program?
Cultures of the different countries
106
Which of the following is the BEST justification to convince management to invest in an information security program?
Increased business valueI
107
On a company's e-commerce web site, a good legal statement regarding data privacy should include:
a statement regarding what the company will do with the information it collects.
108
The MOST important factor in ensuring the success of an information security program is effective:
alignment with organizational goals and objectives.
109
Which of the following would be MOST helpful to achieve alignment between information security and organization objectives?
A security program that enables business activities
110
Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?
Continuous analysis, monitoring and feedback
111
The MOST complete business case for security solutions is one that:
includes appropriate justification.
112
Which of the following is MOST important to understand when developing a meaningful information security strategy?
Organizational goals
113
Which of the following is an advantage of a centralized information security organizational structure?
It is easier to manage and control.
114
Which of the following would help to change an organization's security culture?
Obtain strong management support
115
The BEST way to justify the implementation of a single sign-on (SSO) product is to use:
a business case.
116
The FIRST step in establishing a security governance program is to:
obtain high-level sponsorship.
117
An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:
conflicting security controls with organizational needs.
118
An organization's information security strategy should be based on:
managing risk relative to business objectives.
119
Which of the following should be included in an annual information security budget that is submitted for management approval?
A cost-benefit analysis of budgeted resources
120
Which of the following is a benefit of information security governance?
Reduction of the potential for civil or legal liability
121
Investment in security technology and processes should be based on:
clear alignment with the goals and objectives of the organization.
122
The data access requirements for an application should be determined by the:
business owner.
123
From an information security perspective, information that no longer supports the main purpose of the business should be:
analyzed under the retention policy.
124
The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
Laws and regulations of the country of origin may not be enforceable in the foreign country.
125
Effective IT governance is BEST ensured by:
utilizing a top-down approach.
126
The FIRST step to create an internal culture that focuses on information security is to:
gain the endorsement of executive management.
127
Which of the following is the BEST method or technique to ensure the effective implementation of an information security program?
Obtain the support of the board of directors.
128
When an organization is implementing an information security governance program, its board of directors should be responsible for:
setting the strategic direction of the program.
129
A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?A
Review of the assessment with executive management for final input
130
Who is responsible for ensuring that information is categorized and that specific protective measures are taken?
Senior management
131
An organization's board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?
Require management to report on compliance
132
Information security should be:
a balance between technical and business requirements.
133
What is the MOST important factor in the successful implementation of an enterprise wide information security program?
Support of senior management
134
What is the MAIN risk when there is no user management representation on the Information Security Steering Committee?
Information security plans are not aligned with business requirements
135
The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:
the plan aligns with the organization's business plan.
136
The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:
the plan aligns with the organization's business plan.
137
Which of the following should be determined while defining risk management strategies?
Organizational objectives and risk appetite
138
When implementing effective security governance within the requirements of the company's security strategy, which of the following is the MOST important factor to consider?
Preserving the confidentiality of sensitive data
139
Which of the following is the BEST reason to perform a business impact analysis (BIA)?
To help determine the current state of risk
CISM Study Questions C
flashcards
Decks in class (5)
# Cards
